Date:      Sun, 25 May 2014 19:42:16 +0200
From:      Oliver Pinter <oliver.pntr@gmail.com>
To:        Dag-Erling Smørgrav <des@des.no>
Cc:        freebsd-security@freebsd.org, freebsd-current@freebsd.org, freebsd-stable@freebsd.org, dim@freebsd.org, Shawn Webb <lattera@gmail.com>
Subject:   Re: [CFT] ASLR, PIE, and segvguard on 11-current and 10-stable
Message-ID:  <CAPjTQNE6V%2BMAMg4KODVhLckq9p=kpKZPmSK=LEtQkcfZqVi7SA@mail.gmail.com>
In-Reply-To: <86a9a56ac6.fsf@nine.des.no>
References:  <20140514135852.GC3063@pwnie.vrt.sourcefire.com> <CAPjTQNG9pGLbDF7a8b%2B9s_NRD3Rq-sLnj7AXczjB=Ko_S44C3A@mail.gmail.com> <86a9a56ac6.fsf@nine.des.no>

On 5/25/14, Dag-Erling Smørgrav <des@des.no> wrote:
> Oliver Pinter <oliver.pntr@gmail.com> writes:
>>       PAX LOG: implement new logging subsystem
>>       PAX LOG: fix pax_ulog_segvguard
>>       PAX LOG: added sysctl's and tunables
>>       PAX ASLR: use PAX LOG
>>       PAX LOG: fix pax_ulog_##name()
>>       PAX LOG: fix prison init
>>       PAX LOG: fixed log and ulog sysctl
>
> What exactly is the purpose of PAX LOG?  Have you considered using
> ktrace instead?

pax_log will be, in the future, a generic pax-related logging framework,
with rate limiting and other features.
It will log user, IP, binary name, path, checksum, and others.

>
>>       PAX: blacklist clang and related binaries from PIE support
>
> Why?  Performance, or do they actually break?

No. If you defined WITH_CLANG_EXTRAS= in src.conf, it broke the build.
(added dim@ to CC)

--- usr.bin.all__D ---
/usr/obj/usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang/bugpoint/../../../lib/clang/libllvmirreader/libllvmirreader.a:
could not read symbols: Bad value
c++: error: linker command failed with exit code 1 (use -v to see invocation)
*** [bugpoint] Error code 1

bmake[5]: stopped in
/usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang/bugpoint
1 error

bmake[5]: stopped in
/usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang/bugpoint
*** [all_subdir_bugpoint] Error code 2

bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang
--- usr.sbin.all__D ---
A failure has been detected in another branch of the parallel make

bmake[5]: stopped in
/usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin/acpi/iasl
*** [all] Error code 2

bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin/acpi
1 error

bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin/acpi
*** [all_subdir_acpi] Error code 2

bmake[3]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin
1 error

bmake[3]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.sbin
*** [usr.sbin.all__D] Error code 2

bmake[2]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git
--- usr.bin.all__D ---
--- all_subdir_tblgen ---
A failure has been detected in another branch of the parallel make

bmake[5]: stopped in
/usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang/tblgen
*** [all_subdir_tblgen] Error code 2

bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang
2 errors

bmake[4]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin/clang
*** [all_subdir_clang] Error code 2

bmake[3]: stopped in /usr/data/source/git/opBSD/hardenedBSD.git/usr.bin

>
>>       PAX ASLR: Blacklist the applications that don't support being built
>> as a position-independent executable
>
> "don't support" as in you have tested them and confirmed that they break
> in some way?  Could you post your test methodology so people can
> replicate the failures and look into fixing them?
>
>>       PAX ASLR: Use a full kernel config for LATT-ASLR
>
> What is the difference between LATT-ASLR and OP-ASLR, and why not just
> "include GENERIC"?  You know about "nooptions", right?

These kernel configs will be removed in the upstreamed patch. These are
Shawn's and my kernel configs.

>
>>       Revert "PAX: blacklist clang and related binaries from PIE support"
>>       Revert "Revert "PAX: blacklist clang and related binaries from PIE
>> support""
>
> Hmm...

See above.

>
> DES
> --
> Dag-Erling Smørgrav - des@des.no
>


